AWS IAM Tracker

This project collects IAM actions, AWS APIs and managed policies from various public sources.

You can explore the data collected using the static site.

Collected data is published to the policies and services folders in this repo.

Thank you to alanakirby/aktion for originally having this idea and being gracious about me shamelessly ripping it off.

Stats

Unique services: 213
Unique actions: 7732
Managed policies: 615

Most common managed policy name prefixes:

Policy ARN	Count
`arn:aws:iam::aws:policy/AWS*`	175
`arn:aws:iam::aws:policy/Amazon*`	164
`arn:aws:iam::aws:policy/aws-service-role/*`	111
`arn:aws:iam::aws:policy/service-role/*`	96
`arn:aws:iam::aws:policy/job-function/*`	7
Other	62

The following table summarises the AWS APIs.

The first column is the name of the API as far as IAM policies are concerned.
The second column is IAM actions that exactly match the names of invokable APIs exposed by AWS.
The third column is invokable APIs that don't have a corresponding IAM action.
The fourth column is IAM actions that don't have a corresponding invokable API.

Service	Action/API pairs	APIs without actions	Actions without APIs
`ec2`	361	35	0
`iam`	140	0	1
`sagemaker`	137	0	2
`glue`	123	0	1
`ssm`	121	0	7
`rds`	111	15	1
`ses`	103	8	0
`lightsail`	101	4	0
`cognito-idp`	100	0	0
`chime`	91	0	49
`greengrass`	90	0	0
`redshift`	86	0	18
`mobiletargeting`	83	22	0
`servicecatalog`	83	0	0
`waf-regional`	80	0	0
`a4b`	77	16	3
`waf`	76	0	0
`codecommit`	75	0	11
`opsworks`	73	1	0
`gamelift`	73	0	0
`storagegateway`	71	4	0
`devicefarm`	67	0	0
`clouddirectory`	62	4	0
`config`	59	19	2
`route53`	56	0	0
`elasticloadbalancing`	54	0	1
`autoscaling`	54	0	0
`s3`	53	48	39
`directconnect`	53	0	0
`comprehend`	51	0	0
`ds`	49	8	6
`guardduty`	49	1	0
`appstream`	47	0	3
`organizations`	47	0	0
`codedeploy`	46	0	0
`cloudformation`	45	10	3
`dms`	45	2	0
`kms`	45	1	2
`cloudfront`	45	0	0
`ecs`	44	4	2
`elasticbeanstalk`	43	1	2
`backup`	43	0	0
`elasticache`	42	6	0
`dynamodb`	42	3	6
`workdocs`	41	0	10
`rekognition`	41	0	0
`imagebuilder`	40	2	0
`personalize`	39	3	0
`logs`	39	0	5
`mechanicalturk`	39	0	0
`securityhub`	38	0	0
`lambda`	37	12	2
`medialive`	37	6	0
`appsync`	36	5	1
`robomaker`	36	0	0
`codepipeline`	36	0	0
`lex`	35	6	0
`iotthingsgraph`	35	0	0
`swf`	34	3	12
`iotanalytics`	33	1	0
`workmail`	33	0	53
`sns`	33	0	0
`glacier`	33	0	0
`workspaces`	32	8	0
`inspector`	32	5	0
`amplify`	32	5	0
`events`	31	0	0
`worklink`	30	0	0
`frauddetector`	30	0	0
`codebuild`	29	0	7
`ecr`	29	0	0
`cloudwatch`	29	0	0
`cloudhsm`	28	3	0
`connect`	28	1	6
`cloudsearch`	28	1	4
`sms`	28	0	2
`appmesh`	28	0	1
`networkmanager`	28	0	0
`machinelearning`	28	0	0
`elasticmapreduce`	27	3	8
`schemas`	27	2	0
`forecast`	27	0	0
`datasync`	27	0	0
`kinesis`	26	2	0
`kinesisvideo`	26	0	3
`iot1click`	26	0	0
`mediaconvert`	25	0	0
`groundstation`	25	0	0
`discovery`	25	0	0
`kinesisanalytics`	24	2	1
`route53domains`	23	1	0
`states`	22	0	0
`route53resolver`	22	0	0
`mq`	22	0	0
`dataexchange`	22	0	0
`es`	21	2	5
`dax`	21	0	9
`eks`	21	0	0
`cognito-identity`	21	0	0
`mediastore`	20	3	0
`iotevents`	20	0	1
`xray`	20	0	0
`sqs`	20	0	0
`servicediscovery`	20	0	0
`kendra`	20	0	0
`acm-pca`	20	0	0
`athena`	19	0	11
`datapipeline`	19	0	2
`mgh`	19	0	0
`ce`	19	0	0
`codestar`	18	0	3
`transfer`	18	0	0
`secretsmanager`	18	0	0
`managedblockchain`	18	0	0
`cloudtrail`	18	0	0
`access-analyzer`	18	0	0
`applicationinsights`	17	9	0
`ram`	17	6	0
`snowball`	17	2	0
`kafka`	17	2	0
`shield`	17	1	0
`cognito-sync`	17	0	2
`globalaccelerator`	17	0	0
`elastictranscoder`	17	0	0
`quicksight`	16	49	8
`qldb`	16	0	3
`servicequotas`	16	0	0
`batch`	16	0	0
`opsworks-cm`	15	1	0
`license-manager`	15	1	0
`mediapackage`	14	4	0
`mediaconnect`	14	3	0
`support`	14	0	8
`elasticfilesystem`	14	0	2
`fms`	14	0	0
`serverlessrepo`	13	0	1
`lakeformation`	13	0	1
`codestar-notifications`	13	0	0
`acm`	13	0	0
`signer`	12	0	0
`resource-groups`	12	0	0
`mediapackage-vod`	12	0	0
`firehose`	12	0	0
`aws-marketplace`	11	0	31
`fsx`	11	0	0
`sdb`	10	0	0
`cloud9`	10	0	0
`application-autoscaling`	10	0	0
`transcribe`	9	0	1
`polly`	9	0	0
`mobilehub`	8	1	15
`iot`	8	0	175
`sts`	8	0	1
`tag`	8	0	0
`sms-voice`	8	0	0
`savingsplans`	8	0	0
`dlm`	8	0	0
`mediatailor`	7	0	0
`macie`	7	0	0
`textract`	6	0	0
`rds-data`	6	0	0
`importexport`	6	0	0
`health`	6	0	0
`compute-optimizer`	6	0	0
`autoscaling-plans`	6	0	0
`translate`	5	0	0
`cur`	4	0	0
`pricing`	3	0	0
`comprehendmedical`	2	9	0
`pi`	2	0	0
`mobileanalytics`	1	0	2
`workmailmessageflow`	1	0	0
`ec2-instance-connect`	1	0	0
`execute-api`	0	209	3
`apigateway`	0	148	7
`wafv2`	0	36	0
`appconfig`	0	29	0
`budgets`	0	14	2
`codeguru-profiler`	0	9	0
`IoTSecuredTunneling`	0	7	0
`outposts`	0	5	0
`codeguru-reviewer`	0	4	0
`awsssoportal`	0	4	0
`elastic-inference`	0	3	1
`ebs`	0	3	0
`awsssooidc`	0	3	0
`marketplacecommerceanalytics`	0	2	0
`iotsitewise`	0	0	77
`sso`	0	0	53
`sso-directory`	0	0	37
`deepracer`	0	0	26
`appmesh-preview`	0	0	26
`deeplens`	0	0	24
`trustedadvisor`	0	0	12
`chatbot`	0	0	12
`freertos`	0	0	11
`synthetics`	0	0	9
`dbqms`	0	0	9
`launchwizard`	0	0	8
`aws-portal`	0	0	7
`ec2messages`	0	0	6
`cassandra`	0	0	5
`aws-marketplace-management`	0	0	5
`wellarchitected`	0	0	4
`ssmmessages`	0	0	4
`groundtruthlabeling`	0	0	4
`artifact`	0	0	4
`account`	0	0	3
`sumerian`	0	0	2
`wam`	0	0	1
`rds-db`	0	0	1
`neptune-db`	0	0	1
`backup-storage`	0	0	1

Most common action prefixes:

Prefix	Count
`List`	1048
`Get`	1031
`Describe`	984
`Delete`	911
`Create`	840
`Update`	635
`Put`	214
`Start`	131
`Modify`	103
`Tag`	95

rupertbg/trackiam

AWS IAM Tracker

Stats